linux

mirror of https://github.com/hardkernel/linux.git synced 2026-03-24 19:40:21 +09:00

Files

Roman Gushchin 33d9490b27 mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()

commit 3b8abb3239 upstream.

KCSAN found an issue in obj_stock_flush_required():
stock->cached_objcg can be reset between the check and dereference:

==================================================================
BUG: KCSAN: data-race in drain_all_stock / drain_obj_stock

write to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0:
 drain_obj_stock+0x408/0x4e0 mm/memcontrol.c:3306
 refill_obj_stock+0x9c/0x1e0 mm/memcontrol.c:3340
 obj_cgroup_uncharge+0xe/0x10 mm/memcontrol.c:3408
 memcg_slab_free_hook mm/slab.h:587 [inline]
 __cache_free mm/slab.c:3373 [inline]
 __do_kmem_cache_free mm/slab.c:3577 [inline]
 kmem_cache_free+0x105/0x280 mm/slab.c:3602
 __d_free fs/dcache.c:298 [inline]
 dentry_free fs/dcache.c:375 [inline]
 __dentry_kill+0x422/0x4a0 fs/dcache.c:621
 dentry_kill+0x8d/0x1e0
 dput+0x118/0x1f0 fs/dcache.c:913
 __fput+0x3bf/0x570 fs/file_table.c:329
 ____fput+0x15/0x20 fs/file_table.c:349
 task_work_run+0x123/0x160 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0xcf/0xe0 kernel/entry/common.c:171
 exit_to_user_mode_prepare+0x6a/0xa0 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1:
 obj_stock_flush_required mm/memcontrol.c:3319 [inline]
 drain_all_stock+0x174/0x2a0 mm/memcontrol.c:2361
 try_charge_memcg+0x6d0/0xd10 mm/memcontrol.c:2703
 try_charge mm/memcontrol.c:2837 [inline]
 mem_cgroup_charge_skmem+0x51/0x140 mm/memcontrol.c:7290
 sock_reserve_memory+0xb1/0x390 net/core/sock.c:1025
 sk_setsockopt+0x800/0x1e70 net/core/sock.c:1525
 udp_lib_setsockopt+0x99/0x6c0 net/ipv4/udp.c:2692
 udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2817
 sock_common_setsockopt+0x61/0x70 net/core/sock.c:3668
 __sys_setsockopt+0x1c3/0x230 net/socket.c:2271
 __do_sys_setsockopt net/socket.c:2282 [inline]
 __se_sys_setsockopt net/socket.c:2279 [inline]
 __x64_sys_setsockopt+0x66/0x80 net/socket.c:2279
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0xffff8881382d52c0 -> 0xffff888138893740

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023

Fix it by using READ_ONCE()/WRITE_ONCE() for all accesses to
stock->cached_objcg.

Link: https://lkml.kernel.org/r/20230502160839.361544-1-roman.gushchin@linux.dev
Fixes: bf4f059954 ("mm: memcg/slab: obj_cgroup API")
Signed-off-by: Roman Gushchin <roman.gushchin@linux.dev>
Reported-by: syzbot+774c29891415ab0fd29d@syzkaller.appspotmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
  Link: https://lore.kernel.org/linux-mm/CACT4Y+ZfucZhM60YPphWiCLJr6+SGFhT+jjm8k1P-a_8Kkxsjg@mail.gmail.com/T/#t
Reviewed-by: Yosry Ahmed <yosryahmed@google.com>
Acked-by: Shakeel Butt <shakeelb@google.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2023-08-11 12:08:23 +02:00

damon

mm/damon/ops-common: atomically test and clear young on ptes and pmds

2023-07-19 16:22:11 +02:00

kasan

kasan: add kasan_tag_mismatch prototype

2023-07-23 13:49:32 +02:00

kfence

mm: kfence: fix handling discontiguous page

2023-04-13 16:55:30 +02:00

kmsan

mm: kmsan: handle alloc failures in kmsan_vmap_pages_range_noflush()

2023-04-26 14:28:41 +02:00

backing-dev.c

writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs

2023-04-26 14:28:39 +02:00

balloon_compaction.c

mm: Convert all PageMovable users to movable_operations

2022-08-02 12:34:03 -04:00

bootmem_info.c

bootmem: remove the vmemmap pages from kmemleak in put_page_bootmem

2022-08-28 14:02:45 -07:00

cma_debug.c

mm/cma_debug: show complete cma name in debugfs directories

2022-09-11 20:25:50 -07:00

cma_sysfs.c

mm: cma: support sysfs

2021-05-05 11:27:24 -07:00

cma.c

Revert "mm/cma.c: remove redundant cma_mutex lock"

2022-05-13 15:11:26 -07:00

cma.h

mm/cma: provide option to opt out from exposing pages on activation failure

2022-03-22 15:57:09 -07:00

compaction.c

Revert "mm/compaction: fix set skip in fast_find_migrateblock"

2023-02-01 08:34:49 +01:00

debug_page_ref.c

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

debug_vm_pgtable.c

docs: rename Documentation/vm to Documentation/mm

2022-06-27 12:52:53 -07:00

debug.c

mm: remove the vma linked list

2022-09-26 19:46:26 -07:00

dmapool.c

mm/dmapool.c: revert "make dma pool to use kmalloc_node"

2022-01-15 16:30:28 +02:00

early_ioremap.c

mm/early_ioremap: declare early_memremap_pgprot_adjust()

2022-03-22 15:57:11 -07:00

fadvise.c

riscv: compat: syscall: Add compat_sys_call_table implementation

2022-04-26 13:36:25 -07:00

failslab.c

mm: fix unexpected changes to {failslab|fail_page_alloc}.attr

2022-11-22 18:50:44 -08:00

filemap.c

mm/filemap: fix page end in filemap_get_read_batch

2023-02-22 12:59:49 +01:00

folio-compat.c

mm: remove try_to_free_swap()

2022-10-03 14:02:53 -07:00

frontswap.c

frontswap: don't call ->init if no ops are registered

2022-09-26 12:14:34 -07:00

gup_test.c

mm: rename is_pinnable_page() to is_longterm_pinnable_page()

2022-07-17 17:14:27 -07:00

gup_test.h

selftests/vm: gup_test: fix test flag

2021-05-05 11:27:26 -07:00

gup.c

mm: always expand the stack with the mmap write lock held

2023-07-01 13:16:25 +02:00

highmem.c

highmem: fix kmap_to_page() for kmap_local_page() addresses

2022-10-12 18:51:51 -07:00

hmm.c

mm/swap: add swp_offset_pfn() to fetch PFN from swap entry

2022-09-26 19:46:05 -07:00

huge_memory.c

mm/huge_memory.c: warn with pr_warn_ratelimited instead of VM_WARN_ON_ONCE_FOLIO

2023-04-26 14:28:41 +02:00

hugetlb_cgroup.c

hugetlb_cgroup: use helper for_each_hstate and hstate_index

2022-09-11 20:25:53 -07:00

hugetlb_vmemmap.c

mm: hugetlb_vmemmap: include missing linux/moduleparam.h

2022-11-08 15:57:23 -08:00

hugetlb_vmemmap.h

mm: hugetlb_vmemmap: improve hugetlb_vmemmap code readability

2022-08-08 18:06:43 -07:00

hugetlb.c

mm/hugetlb: fix uffd wr-protection for CoW optimization path

2023-04-13 16:55:36 +02:00

hwpoison-inject.c

mm/hwpoison: add __init/__exit annotations to module init/exit funcs

2022-10-03 14:03:05 -07:00

init-mm.c

mm: remove rb tree.

2022-09-26 19:46:16 -07:00

internal.h

mm/page_alloc: make boot_nodestats static

2022-10-03 14:03:30 -07:00

interval_tree.c

mm/interval_tree: add comments to improve code readability

2021-04-30 11:20:38 -07:00

io-mapping.c

mm: add a io_mapping_map_user helper

2021-04-30 11:20:39 -07:00

ioremap.c

mm: ioremap: Add ioremap/iounmap_allowed()

2022-06-27 12:22:31 +01:00

Kconfig

mm: introduce new 'lock_mm_and_find_vma()' page fault helper

2023-07-01 13:16:24 +02:00

Kconfig.debug

mm: page_table_check: Make it dependent on EXCLUSIVE_SYSTEM_RAM

2023-06-14 11:15:29 +02:00

khugepaged.c

mm/khugepaged: check again on anon uffd-wp during isolation

2023-04-26 14:28:41 +02:00

kmemleak.c

mm/kmemleak: prevent soft lockup in kmemleak_scan()'s object iteration loops

2022-10-28 13:37:22 -07:00

ksm.c

mm/ksm: fix race with VMA iteration and mm_struct teardown

2023-03-30 12:49:29 +02:00

list_lru.c

mm: kmem: make mem_cgroup_from_obj() vmalloc()-safe

2022-06-16 19:48:31 -07:00

maccess.c

mm: Fix copy_from_user_nofault().

2023-06-28 11:12:17 +02:00

madvise.c

use less confusing names for iov_iter direction initializers

2023-02-09 11:28:04 +01:00

Makefile

mm: memcontrol: drop dead CONFIG_MEMCG_SWAP config symbol

2022-10-03 14:03:36 -07:00

mapping_dirty_helpers.c

mm: move tlb_flush_pending inline helpers to mm_inline.h

2022-01-15 16:30:27 +02:00

memblock.c

Revert "mm: Always release pages to the buddy allocator in memblock_free_late()."

2023-02-22 12:59:50 +01:00

memcontrol.c

mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()

2023-08-11 12:08:23 +02:00

memfd.c

memfd: check for non-NULL file_seals in memfd_create() syscall

2023-06-28 11:12:27 +02:00

memory_hotplug.c

mm: add pageblock_aligned() macro

2022-10-03 14:03:04 -07:00

memory-failure.c

mm/hwpoison: convert TTU_IGNORE_HWPOISON to TTU_HWPOISON

2023-03-10 09:34:25 +01:00

memory-tiers.c

memory tier: release the new_memtier in find_create_memory_tier()

2023-03-10 09:34:27 +01:00

memory.c

mm: call arch_swap_restore() from do_swap_page()

2023-07-19 16:21:16 +02:00

mempolicy.c

mm/mempolicy: correctly update prev when policy is equal on mbind

2023-05-11 23:03:41 +09:00

mempool.c

mm/mempool: use might_alloc()

2022-06-16 19:48:30 -07:00

memremap.c

mm/memremap.c: map FS_DAX device memory as decrypted

2022-11-08 15:57:23 -08:00

memtest.c

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

migrate_device.c

mm/migrate_device: return number of migrating pages in args->cpages

2022-11-22 18:50:43 -08:00

migrate.c

mm/migrate: fix wrongly apply write bit after mkdirty on sparc64

2023-02-22 12:59:49 +01:00

mincore.c

mm: teach mincore_hugetlb about pte markers

2023-03-22 13:34:03 +01:00

mlock.c

mm/mlock: drop dead code in count_mm_mlocked_page_nr()

2022-09-26 19:46:27 -07:00

mm_init.c

mm: multi-gen LRU: groundwork

2022-09-26 19:46:09 -07:00

mm_slot.h

mm: introduce common struct mm_slot

2022-10-03 14:02:43 -07:00

mmap_lock.c

mm: mmap_lock: fix disabling preemption directly

2021-07-23 17:43:28 -07:00

mmap.c

mm/mmap: Fix extra maple tree write

2023-07-19 16:22:16 +02:00

mmu_gather.c

mm/khugepaged: fix GUP-fast interaction by sending IPI

2022-11-30 14:49:42 -08:00

mmu_notifier.c

mm/mmu_notifier.c: fix race in mmu_interval_notifier_remove()

2022-04-21 20:01:10 -07:00

mmzone.c

mm: multi-gen LRU: groundwork

2022-09-26 19:46:09 -07:00

mprotect.c

mm/uffd: fix warning without PTE_MARKER_UFFD_WP compiled in

2022-10-12 15:56:46 -07:00

mremap.c

mm, mremap: fix mremap() expanding for vma's with vm_ops->close()

2023-02-09 11:28:22 +01:00

msync.c

mm/msync: use vma_find() instead of vma linked list

2022-09-26 19:46:25 -07:00

nommu.c

xtensa: fix lock_mm_and_find_vma in case VMA not found

2023-07-05 18:27:37 +01:00

oom_kill.c

mm: reduce noise in show_mem for lowmem allocations

2022-09-26 19:46:29 -07:00

page_alloc.c

mm/page_alloc: fix potential deadlock on zonelist_update_seq seqlock

2023-04-26 14:28:44 +02:00

page_counter.c

mm: page_counter: remove unneeded atomic ops for low/min

2022-09-11 20:26:01 -07:00

page_ext.c

mm/page_exit: fix kernel doc warning in page_ext_put()

2022-11-22 18:50:41 -08:00

page_idle.c

mm: don't be stuck to rmap lock on reclaim path

2022-05-19 14:08:54 -07:00

page_io.c

use less confusing names for iov_iter direction initializers

2023-02-09 11:28:04 +01:00

page_isolation.c

mm/page_isolation: fix clang deadcode warning

2022-10-28 13:37:22 -07:00

page_owner.c

mm: reuse pageblock_start/end_pfn() macro

2022-10-03 14:03:03 -07:00

page_poison.c

mm: page_poison: print page info when corruption is caught

2021-04-30 11:20:36 -07:00

page_reporting.c

mm/page_reporting: allow driver to specify reporting order

2021-06-29 10:53:47 -07:00

page_reporting.h

mm/page_reporting: export reporting order as module parameter

2021-06-29 10:53:47 -07:00

page_table_check.c

mm: page_table_check: Ensure user pages are not slab pages

2023-06-14 11:15:29 +02:00

page_vma_mapped.c

mm/swap: add swp_offset_pfn() to fetch PFN from swap entry

2022-09-26 19:46:05 -07:00

page-writeback.c

mm: export balance_dirty_pages_ratelimited_flags()

2022-09-26 12:28:07 +02:00

pagewalk.c

Merge tag 'mm-stable-2022-10-08' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

2022-10-10 17:53:04 -07:00

percpu-internal.h

percpu: improve percpu_alloc_percpu event trace

2022-05-13 07:20:18 -07:00

percpu-km.c

percpu: flush tlb in pcpu_reclaim_populated()

2021-07-04 18:30:17 +00:00

percpu-stats.c

mm: use vmalloc_array and vcalloc for array allocations

2022-03-08 09:30:46 -05:00

percpu-vm.c

percpu: flush tlb in pcpu_reclaim_populated()

2021-07-04 18:30:17 +00:00

percpu.c

mm: percpu: use kmemleak_ignore_phys() instead of kmemleak_free()

2022-07-17 17:14:47 -07:00

pgalloc-track.h

mm: fix typos in comments

2021-05-07 00:26:35 -07:00

pgtable-generic.c

mm: avoid unnecessary flush on change_huge_pmd()

2022-05-13 07:20:05 -07:00

process_vm_access.c

use less confusing names for iov_iter direction initializers

2023-02-09 11:28:04 +01:00

ptdump.c

mm: pagewalk: Fix race between unmap and page walker

2022-09-03 10:13:13 -07:00

readahead.c

mm: add PSI accounting around ->read_folio and ->readahead calls

2022-09-20 08:24:38 -06:00

rmap.c

mm/hwpoison: convert TTU_IGNORE_HWPOISON to TTU_HWPOISON

2023-03-10 09:34:25 +01:00

rodata_test.c

mm/rodata_test: use PAGE_ALIGNED() helper

2022-10-03 14:03:05 -07:00

secretmem.c

mm/secretmem: remove reduntant return value

2022-10-03 14:03:36 -07:00

shmem.c

shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs

2023-07-19 16:22:11 +02:00

shrinker_debug.c

mm: shrinkers: fix deadlock in shrinker debugfs

2023-02-22 12:59:46 +01:00

shuffle.c

mm/shuffle: convert module_param_call to module_param_cb

2022-10-03 14:03:07 -07:00

shuffle.h

mm/shuffle: fix section mismatch warning

2021-05-22 15:09:07 -10:00

slab_common.c

mm, slab: remove duplicate kernel-doc comment for ksize()

2022-11-07 17:11:27 +01:00

slab.c

mm/slab: Fix undefined init_cache_node_node() for NUMA and !SMP

2023-03-30 12:49:23 +02:00

slab.h

Merge tag 'mm-stable-2022-10-08' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

2022-10-10 17:53:04 -07:00

slob.c

Merge branch 'slab/for-6.1/kmalloc_size_roundup' into slab/for-next

2022-09-29 11:30:55 +02:00

slub.c

treewide: use prandom_u32_max() when possible, part 1

2022-10-11 17:42:55 -06:00

sparse-vmemmap.c

mm: hugetlb_vmemmap: move vmemmap code related to HugeTLB to hugetlb_vmemmap.c

2022-08-08 18:06:42 -07:00

sparse.c

mm: memory_hotplug: enumerate all supported section flags

2022-07-03 18:08:49 -07:00

swap_cgroup.c

mm: memcontrol: don't allocate cgroup swap arrays when memcg is disabled

2022-10-03 14:03:36 -07:00

swap_slots.c

mm/swap: convert put_swap_page() to put_swap_folio()

2022-10-03 14:02:46 -07:00

swap_state.c

swap_state: convert free_swap_cache() to use a folio

2022-10-03 14:02:51 -07:00

swap.c

mm: add folio_add_lru_vma()

2022-10-03 14:02:45 -07:00

swap.h

mm: remove lookup_swap_cache()

2022-10-03 14:02:51 -07:00

swapfile.c

mm/swap: fix swap_info_struct race between swapoff and get_swap_pages()

2023-04-13 16:55:36 +02:00

truncate.c

mm: add split_folio()

2022-10-03 14:02:45 -07:00

usercopy.c

mm: Fix copy_from_user_nofault().

2023-06-28 11:12:17 +02:00

userfaultfd.c

mm/shmem: use page_mapping() to detect page cache for uffd continue

2022-11-08 15:57:23 -08:00

util.c

Merge tag 'mm-stable-2022-10-08' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

2022-10-10 17:53:04 -07:00

vmalloc.c

mm: kmsan: handle alloc failures in kmsan_vmap_pages_range_noflush()

2023-04-26 14:28:41 +02:00

vmpressure.c

mm/vmpressure: fix data-race with memcg->socket_pressure

2021-11-06 13:30:40 -07:00

vmscan.c

mm: do not reclaim private data from pinned page

2023-05-11 23:03:39 +09:00

vmstat.c

Merge tag 'mm-stable-2022-10-08' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

2022-10-10 17:53:04 -07:00

workingset.c

mm: multi-gen LRU: minimal implementation

2022-09-26 19:46:09 -07:00

z3fold.c

mm: Convert all PageMovable users to movable_operations

2022-08-02 12:34:03 -04:00

zbud.c

mm/zbud: add kerneldoc fields for zbud_pool

2021-07-01 11:06:03 -07:00

zpool.c

zpool: remove the list of pools_head

2022-01-15 16:30:31 +02:00

zsmalloc.c

zsmalloc: zs_destroy_pool: add size_class NULL check

2022-10-20 21:27:21 -07:00

zswap.c

zswap: do not shrink if cgroup may not zswap

2023-06-21 16:00:54 +02:00